Snort mailing list archives

Re: Snort ->Barnyard2


From: beenph <beenph () gmail com>
Date: Mon, 29 Aug 2011 23:57:13 -0400

On Mon, Aug 29, 2011 at 11:08 PM, James Kaufman
<jmk () kaufman eden-prairie mn us> wrote:
Snort 2.9.1 is running on my CentOS 5.6 server. I compiled snort from
tarball:

# snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.1 IPv6 GRE (Build 71)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 6.6 06-Feb-2006
           Using ZLIB version: 1.2.3

# ps -aef|grep snort

snort    31528     1  0 Aug27 ?        00:03:17 /usr/local/bin/snort -b
-d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

I have this in snort.conf:

# unified2
# Recommended for most installs
output unified2: filename merged.log, limit 128, nostamp

There are no other uncommented output lines.

/var/log/snort has:

# dir -l
total 1168
-rw-r--r-- 1 root  root  676540 Aug 28 09:47 alert
-rw------- 1 snort snort 149779 Aug 27 13:52 snort.log.1314471019
-rw------- 1 snort snort 339181 Aug 28 09:47 snort.log.1314471620
Have you tried to look on your system for merged.log* file?

Also if you intend to use barnyard2 make sure to remove the nostamp
option from your snort.conf output unified2 line,
barnyard running in continuous mode won't process it, and after 128MB
snort will overwrite your file (unless this behavior has changed).

Is your snort process freshly restarted or did you kill -HUP it with
some config changes?

Are you sure your snort process is using the right config file?

I hope this can help you.

-elz
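As an added illustration of the two checks the reply suggests (look for merged.log* files, and drop nostamp before pointing barnyard2 at the directory), here is a small audit script. It is not code from the thread or from the Snort or barnyard2 projects. It parses uncommented `output unified2:` lines out of a snort.conf excerpt, then cross-checks them against a directory listing: with a timestamp snort names the file `<filename>.<unix-epoch>`, which is the series barnyard2's continuous mode follows, while nostamp produces a plain `<filename>`. The config excerpts, the listings and the `merged.log.1314600000` timestamp are constructed for the example and modelled on what the original poster showed.

```python
import re

# Constructed snort.conf excerpt reproducing the line the original poster quoted.
CONF_WITH_NOSTAMP = """\
# unified2
# Recommended for most installs
output unified2: filename merged.log, limit 128, nostamp
"""

# Constructed variant with nostamp removed, as the reply recommends for barnyard2.
CONF_STAMPED = """\
output unified2: filename merged.log, limit 128
"""

# Constructed directory listings modelled on the poster's /var/log/snort.
LISTING_BEFORE = ["alert", "snort.log.1314471019", "snort.log.1314471620"]
LISTING_AFTER = LISTING_BEFORE + ["merged.log.1314600000"]  # timestamp is made up

OUTPUT_RE = re.compile(r"^\s*output\s+unified2\s*:\s*(.*?)\s*$")


def parse_unified2_outputs(conf_text):
    """Return one option dict per uncommented 'output unified2:' line.

    Options are comma separated; 'filename X' and 'limit N' carry a value,
    bare flags such as 'nostamp' map to True.  Commented lines never match
    because OUTPUT_RE only allows whitespace before the word 'output'.
    """
    outputs = []
    for line in conf_text.splitlines():
        m = OUTPUT_RE.match(line)
        if not m:
            continue
        opts = {}
        for chunk in m.group(1).split(","):
            parts = chunk.split()
            if parts:
                opts[parts[0]] = parts[1] if len(parts) > 1 else True
        outputs.append(opts)
    return outputs


def audit_unified2(conf_text, listing):
    """Cross-check each unified2 output against the files actually present.

    With a timestamp snort writes <filename>.<unix-epoch>; with nostamp it
    writes plain <filename>.  barnyard2 in continuous mode follows the
    timestamped series, so 'nostamp' is reported as a problem.
    """
    report = []
    for opts in parse_unified2_outputs(conf_text):
        name = opts.get("filename")
        if not isinstance(name, str):
            report.append({"filename": None, "problems": ["missing filename option"]})
            continue
        stamped_re = re.compile(re.escape(name) + r"\.\d+$")
        stamped = sorted(f for f in listing if stamped_re.fullmatch(f))
        plain = [f for f in listing if f == name]
        problems = []
        if opts.get("nostamp"):
            problems.append("nostamp set: barnyard2 continuous mode will not read this file")
        if not stamped and not plain:
            problems.append("no files matching this output in the log directory")
        limit = opts.get("limit")
        report.append({
            "filename": name,
            "limit_mb": int(limit) if isinstance(limit, str) else None,
            "nostamp": bool(opts.get("nostamp")),
            "stamped_files": stamped,
            "plain_files": plain,
            "problems": problems,
        })
    return report


if __name__ == "__main__":
    for conf, listing in ((CONF_WITH_NOSTAMP, LISTING_BEFORE),
                          (CONF_STAMPED, LISTING_AFTER)):
        for entry in audit_unified2(conf, listing):
            print(entry)
```

Run against a real box, the listing would come from `os.listdir("/var/log/snort")` and the config from the `-c` path shown in `ps`; an output whose filename matches nothing in the directory is the quickest sign that the running process is not reading the config you edited.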
